Ransomware Roundup: 02.25.22

It comes as no surprise that we’re seeing ransomware attacks against Ukraine this week and while attribution is usually a fool’s errand, it’s not a stretch to assume these attacks help one very specific actor.

The use of ransomware as a cover for HermeticWiper has been noted by several firms, most notably Symantec, ESET, and SentinelOne, which have provided excellent write-ups on the samples. The malware leverages drivers from a popular disk management application, uses seemingly legitimate code-signing certificates, and was compiled several months before the current crisis in Ukraine - take what you will from that last fact. Reports indicate that several sectors were targeted, including financial, defense, aviation, and IT services, and that ransomware was used as a cover story with the real intent being to destroy data.

Politico reports that the Conti team has vowed to support the Russian government and would use “all possible resources to strike back at the critical infrastructure of an enemy”. The group behind the ever-popular Conti ransomware is best known for hitting hospitals around the world last year.

NBC and others report that President Joe Biden was presented with cyberattack options to disrupt Russian military operations in Ukraine, including cyber effects that impact power, transport, and resupply logistics. In response to additional Russian sanctions, the White House via DHS has started to warn businesses about the possibility of ransomware attacks as retaliation, with CISA issuing a "Shields Up" alert.

Big Mac fans will be dismayed by a report that the Snatch gang hit McDonald's and is holding ~500GB of corporate data for ransom.

It will not be an easy weekend for SOC teams and IT departments; please send your security colleagues plenty of caffeine-infused beverages.

Ransomware Roundup: 07.01.22

A conviction in the fight against ransomware, LockBit announces a bug bounty program (seriously) and ransomware is named the greatest cybersecurity threat - surprising no one.


This week’s round up…

  • It seems like a great side hustle … until it lands you in prison
  • The updated version of AstraLocker is looking for a quick payout
  • UK’s NCSC names the greatest cybersecurity threat of our times
  • Vice Society takes down a medical university
  • So, we found a reason to jeer at a bug bounty program
  • CISA offers warning about MedusaLocker

It seems like a great side hustle … until it lands you in prison

A ransomware affiliate pled guilty to charges in an all too rare instance of legal action against a cybercriminal. Jonathan Greig at The Record reported that Canada extradited Sebastien Vachon-Desjardins of Quebec to the United States in March 2022; Vachon-Desjardins worked with the NetWalker group to extort a company in Florida.

“United States Attorney for the Middle District of Florida Roger Handberg said Vachon-Desjardins has agreed to plead guilty to four charges: Conspiracy to Commit Computer Fraud, Conspiracy to Commit Wire Fraud, Intentional Damage to a Protected Computer and Transmitting a Demand in Relation to Damaging a Protected Computer,” Greig wrote.

It should be noted that Vachon-Desjardins' cybercriminal enterprises were a side hustle and he worked full time – wait for it – "for the Canadian government as an IT employee while conducting ransomware attacks on behalf of NetWalker,” Greig reported.

A Canadian court sentenced Vachon-Desjardins to seven years in prison on separate charges in Feb. 2022.  

The updated version of AstraLocker is looking for a quick payout

Lindsey O’Donnell-Welch at Decipher by Duo reported on an updated version of the AstraLocker that can be delivered directly from infected Microsoft Office files. According to the article, the intent is “an unusually quick delivery method leading researchers to believe that the threat actor behind the ransomware is solely interested in making a big impact and receiving a quick payout.”  

“Typically, affiliate threat actors avoid pushing ransomware early, opting instead to push files that allow them to expand their reach within the target environment,” O'Donnell-Welch quoted Joseph Edwards, a researcher with ReversingLabs. “Ransomware almost invariably is deployed last, after compromising the victim's Domain Controller(s), which enables the cybercriminals to use the domain controller (for example: Active Directory) to deploy a group policy object and encrypt all hosts in the affected domains.”
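Edwards' point above is the defender's opportunity: the step where an attacker pushes a new Group Policy Object from a compromised domain controller leaves a trail in the DC's Security log. The following Python is an added example for this roundup; it is not code from the article, from ReversingLabs, or from any group discussed here. It scans constructed Directory Service change records (Event ID 5137, object created, and 5136, object modified) and alerts when an account outside an assumed change-control list creates a groupPolicyContainer and, shortly afterwards, modifies gPLink on the domain root, which is how a new policy gets applied to every host in the domain. Field names follow the real 5136/5137 schema, but every record, account and GUID below is constructed.

```python
"""Flag Group Policy changes that look like ransomware deployment staging.

Added example (not from the roundup, ReversingLabs, or any ransomware
group). Scans constructed DC Security events for a GPO that is created
(5137) and then linked at the domain root (5136 on gPLink) by an account
that is not an approved GPO editor.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: made-up timestamps, accounts and GUIDs.
EVENTS = [
    # A service account creates a GPO at 02:11 and links it at the root 35 s later.
    {"time": "2022-06-28T02:11:04", "id": 5137, "subject": "svc-backup",
     "object_class": "groupPolicyContainer", "attribute": None,
     "object_dn": "CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=corp,DC=example"},
    {"time": "2022-06-28T02:11:39", "id": 5136, "subject": "svc-backup",
     "object_class": "domainDNS", "attribute": "gPLink",
     "object_dn": "DC=corp,DC=example"},
    # An approved administrator does the same thing during a change window.
    {"time": "2022-06-27T14:05:00", "id": 5137, "subject": "gpo-admin",
     "object_class": "groupPolicyContainer", "attribute": None,
     "object_dn": "CN={aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee},CN=Policies,CN=System,DC=corp,DC=example"},
    {"time": "2022-06-27T14:20:00", "id": 5136, "subject": "gpo-admin",
     "object_class": "domainDNS", "attribute": "gPLink",
     "object_dn": "DC=corp,DC=example"},
]

APPROVED_GPO_EDITORS = {"gpo-admin"}   # assumed change-control allowlist
LINK_WINDOW = timedelta(minutes=30)    # create-then-link window to correlate


def find_suspicious_gpo_links(events, approved=APPROVED_GPO_EDITORS,
                              window=LINK_WINDOW):
    """Return (account, gpo_dn) pairs for GPOs created and then linked at the
    domain root by a non-approved account within `window`."""
    created = defaultdict(list)        # account -> [(create_time, gpo_dn), ...]
    for ev in events:
        if ev["id"] == 5137 and ev["object_class"] == "groupPolicyContainer":
            created[ev["subject"]].append(
                (datetime.fromisoformat(ev["time"]), ev["object_dn"]))

    hits = []
    for ev in events:
        if (ev["id"] != 5136 or ev["attribute"] != "gPLink"
                or ev["object_class"] != "domainDNS"):
            continue
        if ev["subject"] in approved:
            continue                   # routine, change-controlled GPO work
        link_time = datetime.fromisoformat(ev["time"])
        for create_time, gpo_dn in created.get(ev["subject"], []):
            if create_time <= link_time <= create_time + window:
                hits.append((ev["subject"], gpo_dn))
    return hits


if __name__ == "__main__":
    for account, gpo_dn in find_suspicious_gpo_links(EVENTS):
        print(f"ALERT: {account} created and linked {gpo_dn} at the domain root")
```

The allowlist is the weak point of this logic: it is only as good as the change-control process behind it, and an attacker holding an approved admin's credentials will pass it. Treat the correlation as a high-severity signal to triage, not as a complete control, and pair it with auditing of the GPO's SYSVOL contents.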

UK’s NCSC names the greatest cybersecurity threat of our times

The United Kingdom’s National Cyber Security Centre declared ransomware the greatest global cybersecurity threat. Danny Palmer at ZDNet reported that “the volume of ransomware has risen significantly with the amount of detected activity in the first quarter of 2022 more than three times what was detected during the same period last year.”

"Even with a war raging in Ukraine – the biggest global cyber threat we still face is ransomware. That tells you something of the scale of the problem. Ransomware attacks strike hard and fast. They are evolving rapidly, they are all-pervasive, they're increasingly offered by gangs as a service, lowering the bar for entry into cyber crime," Palmer quoted Lindy Cameron, CEO of the NCSC.

Vice Society takes down a medical university

Vice Society – the group that claimed responsibility for extorting the Italian city of Palermo – scored another victim this week. Bill Toulas at Bleeping Computer reports that the cybercriminal group attacked the Medical University of Innsbruck, which “caused severe IT service disruption and the alleged theft of data.”

“On June 21, 2022, the university's IT team proceeded to reset all 3,400 students' and 2,200 employees' account passwords and called everyone to go through a manual process of personally collecting their new credentials.

“In the days that followed, the university gradually restored its online services and returned operations to its main site, which had previously been initially taken offline,” Toulas reported.

Vice Society has been particularly active lately, hitting “a college in the UK, a hospital in Italy, and two universities in the UK. This makes the Medical University of Innsbruck the fifth disclosed European victim of Vice in the past month,” according to Toulas.

So, we found a reason to jeer at a bug bounty program

Usually, the launch of a bug bounty program is a cause for celebration. Unless a ransomware gang announces it, in which case … disgusting.

Adam Janofsky at The Record by Recorded Future reported that the LockBit gang recently released the third version of its ransomware and a new bug bounty program, which ostensibly seeks to crowdsource the improvement of the malware – again, disgusting.

“Although few details were provided about technical changes to the ransomware-as-a-service operation, the group said it was inviting all security researchers and hackers to participate in its bug bounty program, which allegedly offers rewards ranging from $1,000 to $1 million. The group is seeking website bugs, locker errors, and ideas to improve the group’s software, among other things. A $1 million bounty is reserved for discovering the true name of the affiliate program manager, known as LockBitSupp,” Janofsky reported.

CISA offers warning about MedusaLocker

The United States Cybersecurity and Infrastructure Security Agency (CISA) released an alert about MedusaLocker. The RaaS gang targets specific vulnerabilities, and the CISA notice includes indicators of compromise, MITRE ATT&CK techniques and mitigation details to help organizations reduce the risk of infection.

“Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks,” CISA wrote in the alert.
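Because the CISA alert singles out RDP as the way in, the most useful thing a small IT team can do this week is watch the Security log on anything that exposes RDP. The following Python is an added example for this roundup, not code from CISA's alert or from the article. It reads constructed Windows Security log lines in a simple CSV shape (time, event ID, logon type, account, source IP) and flags a source address that racks up failed logons (Event ID 4625) and then gets a successful logon (Event ID 4624) with logon type 10, RemoteInteractive, which is what an RDP session records. The thresholds, the CSV layout and every log line are assumptions for the example.

```python
"""Detect RDP password guessing that ends in a successful remote logon.

Added example (not from CISA's alert or the roundup). Reads constructed
Security log lines and raises one alert per successful type-10 logon that
was preceded by THRESHOLD or more failures from the same source inside
WINDOW. Failed attempts are not filtered on logon type: with Network Level
Authentication enabled, RDP failures are recorded as logon type 3, not 10.
"""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10                   # failures before a success counts as a hit
WINDOW = timedelta(minutes=10)   # how far back failures are counted

# Constructed sample log, format: time,event_id,logon_type,account,source_ip
# 12 failures from 203.0.113.7 followed by a type-10 success, two stray
# failures from 198.51.100.5, and one clean logon from an internal address.
SAMPLE_LOG = """\
2022-05-02T03:10:00,4625,3,administrator,203.0.113.7
2022-05-02T03:10:05,4625,3,administrator,203.0.113.7
2022-05-02T03:10:10,4625,3,administrator,203.0.113.7
2022-05-02T03:10:15,4625,3,administrator,203.0.113.7
2022-05-02T03:10:20,4625,3,administrator,203.0.113.7
2022-05-02T03:10:25,4625,3,administrator,203.0.113.7
2022-05-02T03:10:30,4625,3,administrator,203.0.113.7
2022-05-02T03:10:35,4625,3,administrator,203.0.113.7
2022-05-02T03:10:40,4625,3,administrator,203.0.113.7
2022-05-02T03:10:45,4625,3,administrator,203.0.113.7
2022-05-02T03:10:50,4625,3,administrator,203.0.113.7
2022-05-02T03:10:55,4625,3,administrator,203.0.113.7
2022-05-02T03:11:00,4624,10,administrator,203.0.113.7
2022-05-02T03:12:00,4625,3,jsmith,198.51.100.5
2022-05-02T03:12:30,4625,3,jsmith,198.51.100.5
2022-05-02T03:15:00,4624,10,jsmith,10.0.0.5
"""


def parse_line(line):
    """Split one CSV record into a dict with a parsed timestamp."""
    time_s, event_id, logon_type, account, ip = line.strip().split(",")
    return {"time": datetime.fromisoformat(time_s), "id": int(event_id),
            "logon_type": int(logon_type), "account": account, "ip": ip}


def detect_rdp_guess_then_success(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return (ip, account, success_time_iso, failure_count) for every
    successful RDP (type 10) logon preceded by >= threshold failures from
    the same source address within `window`."""
    failures = defaultdict(list)     # source ip -> timestamps of 4625 events
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["id"] == 4625:
            failures[ev["ip"]].append(ev["time"])
        elif ev["id"] == 4624 and ev["logon_type"] == 10:
            recent = [t for t in failures[ev["ip"]]
                      if ev["time"] - window <= t <= ev["time"]]
            if len(recent) >= threshold:
                alerts.append((ev["ip"], ev["account"],
                               ev["time"].isoformat(), len(recent)))
    return alerts


if __name__ == "__main__":
    for ip, account, when, count in detect_rdp_guess_then_success(SAMPLE_LOG):
        print(f"ALERT: {ip} logged on as {account} at {when} "
              f"after {count} failed attempts")
```

This is a deliberately narrow rule: it fires only when guessing is followed by success, which is the case that matters most, and it stays quiet on noise such as the two mistyped passwords from 198.51.100.5. Credential stuffing spread across many accounts or many source addresses needs a per-account or aggregate variant of the same counting logic.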

Thanks to the reporters and researchers

Shout out to the following people for their original reporting and research referenced in this week’s Ransomware Roundup.

Jonathan Greig at The Record - Recorded Future for their reporting on Netwalker ransomware affiliate agrees to plead guilty to hacking charges.  

Catalin Cimpanu at The Record - Recorded Future for their reporting on NetWalker ransomware affiliate sentenced to seven years in prison.

Lindsey O’Donnell-Welch at Decipher by Duo for their reporting on AstraLocker Ransomware Spread in ‘Smash and Grab’ Attacks.

Joseph Edwards at ReversingLabs for their research on Smash-and-grab: AstraLocker 2.0 pushes ransomware direct from Office docs.

Danny Palmer at ZDNet for their reporting on Ransomware is the biggest global cyber threat. And the attacks are still evolving.

Bill Toulas at Bleeping Computer for their reporting on Vice Society claims ransomware attack on Med. University of Innsbruck.

Adam Janofsky at The Record - Recorded Future for their reporting on LockBit adds a bug bounty program in its revamped ransomware-as-a-service operation.

Cybersecurity & Infrastructure Security Agency for their #StopRansomware: MedusaLocker alert.

Ransomware Roundup: 07.22.22

Well, turns out Bandai Namco got popped by BlackCat, patients trying to pay for their health procedures had their PII leaked, and June was a better month for ransomware defenders.


Welcome back to this week’s round up…

Ransom City Blues

Corin Faife at The Verge reports that a small Canadian town, St. Marys, Ontario, has been hit by the LockBit group. According to the report, most of the essential services in the town of 7,500 were not impacted, but screenshots from the leak site show possible impact to finance, health and safety, sewage treatment, property files and public works. St. Marys is unfortunately not alone in this recent spurt of LockBit activity, as the town of Frederick, Colorado is also listed by the group as having its data compromised.

School of Hard Knocks

According to a recent Sophos survey of 5,600 IT workers representing 410 colleges and universities across the globe, nearly 75% of these institutions suffered from successful ransomware attacks.

This astounding statistic (unfortunately) shows that higher education institutions are a rich and profitable hunting ground for ransomware groups with a success rate greater than healthcare or even financial services. As attackers run up against better defenses in other market segments, they will look for targets that, for a variety of reasons, do not commit the necessary resources to protecting their infrastructure. If you’ve been in cybersecurity for long enough, this will not come as a surprise – even with specific education-centric discounted programs the adoption of new cybersecurity products and services in education has always lagged other segments.

Twisted Metal

As we’ve written about in previous Ransomware Roundups, ransomware targeting ESXi environments continues to grow.

While it’s one thing to ransom an endpoint, targeting bare-metal hypervisors that host multiple VMs or even clusters of hosts can have devastating results. DarkReading has an excellent roundup of the growth in Luna and BlackBasta that have cross-platform capabilities to target Windows, Linux and ESXi systems. VMware has disclosed several critical vulnerabilities this year that attackers have been taking advantage of.

It’s yet to be seen whether the targeting of ESXi is driven solely by the opportunity these vulns have provided or if these groups are intentionally going after a new and lucrative market segment.

Ransomware goes Freemium

Getting traction with a new product in a crowded market is always difficult; it’s why Product Led Growth (PLG) has been such a hot topic with SaaS companies over the last few years. So, it only makes sense that an up-and-coming group would simply give their ransomware away for free, the stipulation being a higher cut on commission. With Redeemer 2.0’s release, the barrier to entry for anyone to kick off a ransomware campaign has never been lower. Plus, the group has stated that if the adoption rate isn’t high enough, they’ll just open source the entire project. What a wonderful new world we’re living in.

Down the Drain

There are reports coming in that an organization that runs sewer systems in the Providence and Blackstone Valley areas of Rhode Island was hit by a not-yet-identified cyberattack, rumored to be ransomware. While details are scant, the crossover from cyber into physical systems has seemingly been increasing in 2022. Be on the lookout next week as more details come to light.

Thanks to the reporters and researchers

Shout out to the following people for their original reporting and research referenced in this week’s Ransomware Roundup.


Corin Faife at The Verge

Sophos

Jai Vijayan

Bill Toulas at Bleeping Computer

Paul Edward Parker

Ransomware Roundup: 07.15.22

Well, turns out Bandai Namco got popped by BlackCat, patients trying to pay for their health procedures had their PII leaked, and June was a better month for ransomware defenders.


This week’s round up …

  • Doxxed: Because paying for that surgery wasn’t enough
  • BlackCat claims credit for Bandai Namco breach
  • Ransomware statistics for June are out, and it’s kind of encouraging (narrator: It is not)
  • A new player has joined the game: Lilith ransomware
  • From North Korea, with love

Doxxed: Because paying for that surgery wasn’t enough

Professional Finance Company issued a statement that a ransomware group was able to access databases holding personal information of patients at 657 healthcare organizations in Feb. 2022. PFC handles payments for many hospitals and the information includes names, addresses and Social Security numbers of account holders.

“PFC found no evidence that personal information has been specifically misused; however, it is possible that the following information could have been accessed by an unauthorized third party: first and last name, address, accounts receivable balance and information regarding payments made to accounts, and, in some cases, date of birth, social security number, and health insurance and medical treatment information,” the company wrote in a statement.

PFC states that it has notified the affected organizations and that an investigation is ongoing. The attack has been attributed to the Quantum ransomware group.

BlackCat claims credit for Bandai Namco breach

The malware intelligence group vx-underground posted a screenshot on its official Twitter account that shows the BlackCat (ALPHV) ransomware group seemingly taking credit for the Bandai Namco breach that occurred this week.

“On July 3, 2022, Bandai Namco Holdings Inc. confirmed that it experienced an unauthorized access by third party to the internal systems of several Group companies in Asian regions (excluding Japan). After we confirmed the unauthorized access, we have taken measures such as blocking access to the servers to prevent the damage from spreading. In addition, there is a possibility that customer information related to the Toys and Hobby Business in Asian regions (excluding Japan) was included in the servers and PCs, and we are currently identifying the status about existence of leakage, scope of the damage, and investigating the cause,” the company wrote in an official statement.

Bandai Namco is a video game publisher of popular franchises such as Elden Ring, Soulcalibur and Dark Souls.

A new player has joined the game: Lilith ransomware

An independent malware hunter discovered a new ransomware operation, dubbed Lilith, that claimed its first victim in South Africa.

“Lilith is a C/C++ console-based ransomware discovered by JAMESWT and designed for 64-bit versions of Windows. Like most ransomware operations launching today, Lilith performs double-extortion attacks, which is when the threat actors steal data before encrypting devices,” reported Bill Toulas at Bleeping Computer.

Threat Intelligence firm Cyble published a report detailing the technical analysis of Lilith. Admittedly, the RaaS group is in the early days of operations but worth watching.  

From North Korea, with love

The Microsoft Threat Intelligence Security Center (MSTIC) released research detailing the HolyGh0st ransomware group (whom Microsoft tracks as DEV-0530), which has been active since 2021 and is reportedly acting out of North Korea. Attribution is notoriously fraught for malware researchers, but the MSTIC team provides compelling evidence.

“MSTIC assesses there is likely some overlap between DEV-0530 and PLUTONIUM. PLUTONIUM is a North Korean threat actor group affiliated with clusters of activity that are also known as DarkSeoul and Andariel. Active since at least 2014, PLUTONIUM has primarily targeted the energy and defense industries in India, South Korea, and the United States using a variety of tactics and techniques.

“MSTIC has observed known DEV-0530 email accounts communicating with known PLUTONIUM attacker accounts. MSTIC has also observed both groups operating from the same infrastructure set, and even using custom malware controllers with similar names,” the team wrote in their report.

HolyGh0st attempted to legitimize their activities by claiming to help increase victim organizations’ security posture but … you know, extortion.

Thanks to the reporters and researchers

Shout out to the following people for their original reporting and research referenced in this week’s Ransomware Roundup.

Jonathan Greig at The Record - Recorded Future for their reporting on Medical debt collection firm says ransomware attack exposed info on 650+ healthcare orgs and Bandai Namco confirms cyberattack after ransomware group threatens leak.  

Sergiu Gatlan at Bleeping Computer for their reporting on Quantum ransomware attack affects 657 healthcare orgs. 

Adam Janofsky at The Record - Recorded Future for their reporting on Ransomware tracker: the latest figures [July 2022].

vx-underground for their research on vx-underground on Twitter: "ALPHV ransomware group (alternatively referred to as BlackCat ransomware group) claims to have ransomed Bandai Namco."

JAMESWT for their reporting on JAMESWT on Twitter: "#Ransomware #Lilith."

Bill Toulas at Bleeping Computer for their reporting on New Lilith ransomware emerges with extortion site, lists first victim. 

Cyble for their research on New Ransomware Groups on the Rise.

Microsoft Threat Intelligence Center at Microsoft Threat Intelligence for their research on North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware - Microsoft Security Blog. 
